From 1c0322dba06e100ed0439596bc8edcec219274c5d53a7663b48715dbc7571ea2 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Mon, 8 Feb 2021 11:22:11 +0000 Subject: [PATCH] Accepting request 869723 from home:iznogood:branches:GNOME:Factory MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Update to version 2.66.6: + Fix various instances within GLib where `g_memdup()` was vulnerable to a silent integer truncation and heap overflow problem (glgo#GNOME/GLib#2319). - Update to version 2.66.5: + Fix some issues with handling over-long (invalid) input when parsing for `GDate`. + Don’t load GIO modules or parse other GIO environment variables when `AT_SECURE` is set (i.e. in a setuid/setgid/setcap process). GIO has always been documented as not being safe to use in privileged processes, but people persist in using it unsafely, so these changes should harden things against potential attacks at least a little. Unfortunately they break a couple of projects which were relying on reading `DBUS_SESSION_BUS_ADDRESS`, so GIO continues to read that for setgid/setcap (but not setuid) processes. This loophole will be closed in GLib 2.70 (see issue #2316), which should give modules 6 months to change their behaviour. + Fix `g_spawn()` searching `PATH` when it wasn’t meant to. + Bugs fixed: bgo#2168, bgo#2210, bgo#2305, glgo#GNOME/GLib!1820, glgo#GNOME/GLib!1824, glgo#GNOME/GLib!1831, glgo#GNOME/GLib!1836, glgo#GNOME/GLib!1864, glgo#GNOME/GLib!1872, glgo#GNOME/GLib!1913, glgo#GNOME/GLib!1922. - Rebase/refresh patches: + glib2-dbus-socket-path.patch + glib2-fate300461-gettext-gkeyfile-suse.patch + glib2-gdbus-codegen-version.patch + glib2-suppress-schema-deprecated-path-warning.patch OBS-URL: https://build.opensuse.org/request/show/869723 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/glib2?expand=0&rev=444 --- glib-2.66.4.tar.xz | 3 -- glib-2.66.6.tar.xz | 3 ++ glib2-bgo569829-gettext-gkeyfile.patch | 26 ++++++------- glib2-dbus-socket-path.patch | 10 ++--- glib2-fate300461-gettext-gkeyfile-suse.patch | 28 +++++++------- glib2-gdbus-codegen-version.patch | 6 +-- ...press-schema-deprecated-path-warning.patch | 10 ++--- glib2.changes | 38 +++++++++++++++++++ glib2.spec | 4 +- 9 files changed, 83 insertions(+), 45 deletions(-) delete mode 100644 glib-2.66.4.tar.xz create mode 100644 glib-2.66.6.tar.xz diff --git a/glib-2.66.4.tar.xz b/glib-2.66.4.tar.xz deleted file mode 100644 index 2b62435..0000000 --- a/glib-2.66.4.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:97df8670e32f9fd4f7392b0980e661dd625012015d58350da1e58e343f4af984 -size 4838124 diff --git a/glib-2.66.6.tar.xz b/glib-2.66.6.tar.xz new file mode 100644 index 0000000..54dfb75 --- /dev/null +++ b/glib-2.66.6.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:80fff9c63d2725834328071c42003c311f77f91caf2285195c587c62f5638329 +size 4841768 diff --git a/glib2-bgo569829-gettext-gkeyfile.patch b/glib2-bgo569829-gettext-gkeyfile.patch index e1acd74..88c44a3 100644 --- a/glib2-bgo569829-gettext-gkeyfile.patch +++ b/glib2-bgo569829-gettext-gkeyfile.patch @@ -1,7 +1,7 @@ -Index: glib-2.56.2/glib/gkeyfile.c +Index: glib-2.66.5/glib/gkeyfile.c =================================================================== ---- glib-2.56.2.orig/glib/gkeyfile.c 2018-03-12 17:23:37.000000000 +0100 -+++ glib-2.56.2/glib/gkeyfile.c 2018-08-17 10:53:47.314889363 +0200 +--- glib-2.66.5.orig/glib/gkeyfile.c ++++ glib-2.66.5/glib/gkeyfile.c @@ -511,6 +511,7 @@ struct _GKeyFile GKeyFileFlags flags; @@ -10,7 +10,7 @@ Index: glib-2.56.2/glib/gkeyfile.c volatile gint ref_count; }; -@@ -635,6 +636,7 @@ g_key_file_init (GKeyFile *key_file) +@@ -636,6 +637,7 @@ g_key_file_init (GKeyFile *key_file) key_file->list_separator = ';'; key_file->flags = 0; key_file->locales = g_strdupv ((gchar **)g_get_language_names ()); @@ -18,7 +18,7 @@ Index: glib-2.56.2/glib/gkeyfile.c } static void -@@ -654,6 +656,12 @@ g_key_file_clear (GKeyFile *key_file) +@@ -655,6 +657,12 @@ g_key_file_clear (GKeyFile *key_file) key_file->parse_buffer = NULL; } @@ -31,7 +31,7 @@ Index: glib-2.56.2/glib/gkeyfile.c tmp = key_file->groups; while (tmp != NULL) { -@@ -873,6 +881,11 @@ g_key_file_load_from_fd (GKeyFile +@@ -874,6 +882,11 @@ g_key_file_load_from_fd (GKeyFile return FALSE; } @@ -43,7 +43,7 @@ Index: glib-2.56.2/glib/gkeyfile.c return TRUE; } -@@ -985,6 +998,11 @@ g_key_file_load_from_data (GKeyFile +@@ -986,6 +999,11 @@ g_key_file_load_from_data (GKeyFile return FALSE; } @@ -55,7 +55,7 @@ Index: glib-2.56.2/glib/gkeyfile.c return TRUE; } -@@ -2208,6 +2226,8 @@ g_key_file_get_locale_string (GKeyFile +@@ -2213,6 +2231,8 @@ g_key_file_get_locale_string (GKeyFile GError *key_file_error; gchar **languages; gboolean free_languages = FALSE; @@ -64,7 +64,7 @@ Index: glib-2.56.2/glib/gkeyfile.c gint i; g_return_val_if_fail (key_file != NULL, NULL); -@@ -2229,6 +2249,23 @@ g_key_file_get_locale_string (GKeyFile +@@ -2234,6 +2254,23 @@ g_key_file_get_locale_string (GKeyFile free_languages = FALSE; } @@ -88,7 +88,7 @@ Index: glib-2.56.2/glib/gkeyfile.c for (i = 0; languages[i]; i++) { candidate_key = g_strdup_printf ("%s[%s]", key, languages[i]); -@@ -2245,6 +2282,39 @@ g_key_file_get_locale_string (GKeyFile +@@ -2250,6 +2287,39 @@ g_key_file_get_locale_string (GKeyFile translated_value = NULL; } @@ -128,10 +128,10 @@ Index: glib-2.56.2/glib/gkeyfile.c /* Fallback to untranslated key */ if (!translated_value) -Index: glib-2.56.2/glib/gkeyfile.h +Index: glib-2.66.5/glib/gkeyfile.h =================================================================== ---- glib-2.56.2.orig/glib/gkeyfile.h 2018-02-06 17:05:56.000000000 +0100 -+++ glib-2.56.2/glib/gkeyfile.h 2018-08-17 10:53:47.314889363 +0200 +--- glib-2.66.5.orig/glib/gkeyfile.h ++++ glib-2.66.5/glib/gkeyfile.h @@ -320,6 +320,7 @@ gboolean g_key_file_remove_group #define G_KEY_FILE_DESKTOP_KEY_URL "URL" #define G_KEY_FILE_DESKTOP_KEY_DBUS_ACTIVATABLE "DBusActivatable" diff --git a/glib2-dbus-socket-path.patch b/glib2-dbus-socket-path.patch index 5da75aa..b7a9305 100644 --- a/glib2-dbus-socket-path.patch +++ b/glib2-dbus-socket-path.patch @@ -1,9 +1,9 @@ -Index: glib-2.56.2/gio/gdbusaddress.c +Index: glib-2.66.5/gio/gdbusaddress.c =================================================================== ---- glib-2.56.2.orig/gio/gdbusaddress.c 2018-08-16 22:53:19.000000000 +0200 -+++ glib-2.56.2/gio/gdbusaddress.c 2018-08-17 10:46:31.564471587 +0200 -@@ -1628,7 +1628,7 @@ g_dbus_address_get_for_bus_sync (GBusTyp - ret = g_strdup (g_getenv ("DBUS_SYSTEM_BUS_ADDRESS")); +--- glib-2.66.5.orig/gio/gdbusaddress.c ++++ glib-2.66.5/gio/gdbusaddress.c +@@ -1331,7 +1331,7 @@ g_dbus_address_get_for_bus_sync (GBusTyp + if (ret == NULL) { - ret = g_strdup ("unix:path=/var/run/dbus/system_bus_socket"); diff --git a/glib2-fate300461-gettext-gkeyfile-suse.patch b/glib2-fate300461-gettext-gkeyfile-suse.patch index 8f820ed..894ae0e 100644 --- a/glib2-fate300461-gettext-gkeyfile-suse.patch +++ b/glib2-fate300461-gettext-gkeyfile-suse.patch @@ -1,7 +1,7 @@ -Index: glib-2.56.2/glib/gkeyfile.c +Index: glib-2.66.5/glib/gkeyfile.c =================================================================== ---- glib-2.56.2.orig/glib/gkeyfile.c 2018-08-17 10:53:47.314889363 +0200 -+++ glib-2.56.2/glib/gkeyfile.c 2018-08-17 10:53:47.330889591 +0200 +--- glib-2.66.5.orig/glib/gkeyfile.c ++++ glib-2.66.5/glib/gkeyfile.c @@ -512,6 +512,7 @@ struct _GKeyFile gchar **locales; @@ -10,7 +10,7 @@ Index: glib-2.56.2/glib/gkeyfile.c volatile gint ref_count; }; -@@ -637,6 +638,7 @@ g_key_file_init (GKeyFile *key_file) +@@ -638,6 +639,7 @@ g_key_file_init (GKeyFile *key_file) key_file->flags = 0; key_file->locales = g_strdupv ((gchar **)g_get_language_names ()); key_file->gettext_domain = NULL; @@ -18,7 +18,7 @@ Index: glib-2.56.2/glib/gkeyfile.c } static void -@@ -662,6 +664,12 @@ g_key_file_clear (GKeyFile *key_file) +@@ -663,6 +665,12 @@ g_key_file_clear (GKeyFile *key_file) key_file->gettext_domain = NULL; } @@ -31,7 +31,7 @@ Index: glib-2.56.2/glib/gkeyfile.c tmp = key_file->groups; while (tmp != NULL) { -@@ -805,6 +813,39 @@ find_file_in_data_dirs (const gchar *f +@@ -806,6 +814,39 @@ find_file_in_data_dirs (const gchar *f return fd; } @@ -71,7 +71,7 @@ Index: glib-2.56.2/glib/gkeyfile.c static gboolean g_key_file_load_from_fd (GKeyFile *key_file, gint fd, -@@ -886,6 +927,9 @@ g_key_file_load_from_fd (GKeyFile +@@ -887,6 +928,9 @@ g_key_file_load_from_fd (GKeyFile G_KEY_FILE_DESKTOP_KEY_GETTEXT_DOMAIN, NULL); @@ -81,7 +81,7 @@ Index: glib-2.56.2/glib/gkeyfile.c return TRUE; } -@@ -942,6 +986,8 @@ g_key_file_load_from_file (GKeyFile +@@ -943,6 +987,8 @@ g_key_file_load_from_file (GKeyFile return FALSE; } @@ -90,7 +90,7 @@ Index: glib-2.56.2/glib/gkeyfile.c return TRUE; } -@@ -1003,6 +1049,9 @@ g_key_file_load_from_data (GKeyFile +@@ -1004,6 +1050,9 @@ g_key_file_load_from_data (GKeyFile G_KEY_FILE_DESKTOP_KEY_GETTEXT_DOMAIN, NULL); @@ -100,7 +100,7 @@ Index: glib-2.56.2/glib/gkeyfile.c return TRUE; } -@@ -1107,6 +1156,9 @@ g_key_file_load_from_dirs (GKeyFile +@@ -1108,6 +1157,9 @@ g_key_file_load_from_dirs (GKeyFile } } @@ -110,7 +110,7 @@ Index: glib-2.56.2/glib/gkeyfile.c if (found_file && full_path) *full_path = output_path; else -@@ -2291,14 +2343,40 @@ g_key_file_get_locale_string (GKeyFile +@@ -2296,14 +2348,40 @@ g_key_file_get_locale_string (GKeyFile { gboolean codeset_set; const gchar *translated; @@ -156,10 +156,10 @@ Index: glib-2.56.2/glib/gkeyfile.c g_free (orig_value); -Index: glib-2.56.2/glib/gkeyfile.h +Index: glib-2.66.5/glib/gkeyfile.h =================================================================== ---- glib-2.56.2.orig/glib/gkeyfile.h 2018-08-17 10:53:47.314889363 +0200 -+++ glib-2.56.2/glib/gkeyfile.h 2018-08-17 10:53:47.330889591 +0200 +--- glib-2.66.5.orig/glib/gkeyfile.h ++++ glib-2.66.5/glib/gkeyfile.h @@ -320,7 +320,7 @@ gboolean g_key_file_remove_group #define G_KEY_FILE_DESKTOP_KEY_URL "URL" #define G_KEY_FILE_DESKTOP_KEY_DBUS_ACTIVATABLE "DBusActivatable" diff --git a/glib2-gdbus-codegen-version.patch b/glib2-gdbus-codegen-version.patch index 7ca27f2..87833ba 100644 --- a/glib2-gdbus-codegen-version.patch +++ b/glib2-gdbus-codegen-version.patch @@ -1,7 +1,7 @@ -Index: glib-2.65.2/gio/gdbus-2.0/codegen/codegen.py +Index: glib-2.66.5/gio/gdbus-2.0/codegen/codegen.py =================================================================== ---- glib-2.65.2.orig/gio/gdbus-2.0/codegen/codegen.py -+++ glib-2.65.2/gio/gdbus-2.0/codegen/codegen.py +--- glib-2.66.5.orig/gio/gdbus-2.0/codegen/codegen.py ++++ glib-2.66.5/gio/gdbus-2.0/codegen/codegen.py @@ -79,8 +79,7 @@ class HeaderCodeGenerator: # ---------------------------------------------------------------------------------------------------- diff --git a/glib2-suppress-schema-deprecated-path-warning.patch b/glib2-suppress-schema-deprecated-path-warning.patch index 7ede53a..992f10f 100644 --- a/glib2-suppress-schema-deprecated-path-warning.patch +++ b/glib2-suppress-schema-deprecated-path-warning.patch @@ -1,8 +1,8 @@ -Index: glib-2.56.2/gio/glib-compile-schemas.c +Index: glib-2.66.5/gio/glib-compile-schemas.c =================================================================== ---- glib-2.56.2.orig/gio/glib-compile-schemas.c 2018-08-17 02:03:20.000000000 +0200 -+++ glib-2.56.2/gio/glib-compile-schemas.c 2018-08-17 10:53:47.342889761 +0200 -@@ -1219,6 +1219,7 @@ parse_state_start_schema (ParseState *s +--- glib-2.66.5.orig/gio/glib-compile-schemas.c ++++ glib-2.66.5/gio/glib-compile-schemas.c +@@ -1232,6 +1232,7 @@ parse_state_start_schema (ParseState *s return; } @@ -10,7 +10,7 @@ Index: glib-2.56.2/gio/glib-compile-schemas.c if (path && (g_str_has_prefix (path, "/apps/") || g_str_has_prefix (path, "/desktop/") || g_str_has_prefix (path, "/system/"))) -@@ -1231,6 +1232,7 @@ parse_state_start_schema (ParseState *s +@@ -1244,6 +1245,7 @@ parse_state_start_schema (ParseState *s g_printerr ("%s\n", message); g_free (message); } diff --git a/glib2.changes b/glib2.changes index 1cd3712..aec75ba 100644 --- a/glib2.changes +++ b/glib2.changes @@ -1,3 +1,41 @@ +------------------------------------------------------------------- +Fri Feb 5 10:59:15 UTC 2021 - Bjørn Lie + +- Update to version 2.66.6: + + Fix various instances within GLib where `g_memdup()` was + vulnerable to a silent integer truncation and heap overflow + problem (glgo#GNOME/GLib#2319). + +------------------------------------------------------------------- +Wed Feb 3 18:52:30 UTC 2021 - Bjørn Lie + +- Update to version 2.66.5: + + Fix some issues with handling over-long (invalid) input when + parsing for `GDate`. + + Don’t load GIO modules or parse other GIO environment variables + when `AT_SECURE` is set (i.e. in a setuid/setgid/setcap + process). GIO has always been documented as not being safe to + use in privileged processes, but people persist in using it + unsafely, so these changes should harden things against + potential attacks at least a little. Unfortunately they break a + couple of projects which were relying on reading + `DBUS_SESSION_BUS_ADDRESS`, so GIO continues to read that for + setgid/setcap (but not setuid) processes. This loophole will be + closed in GLib 2.70 (see issue #2316), which should give + modules 6 months to change their behaviour. + + Fix `g_spawn()` searching `PATH` when it wasn’t meant to. + + Bugs fixed: bgo#2168, bgo#2210, bgo#2305, glgo#GNOME/GLib!1820, + glgo#GNOME/GLib!1824, glgo#GNOME/GLib!1831, + glgo#GNOME/GLib!1836, glgo#GNOME/GLib!1864, + glgo#GNOME/GLib!1872, glgo#GNOME/GLib!1913, + glgo#GNOME/GLib!1922. +- Rebase/refresh patches: + + glib2-dbus-socket-path.patch + + glib2-fate300461-gettext-gkeyfile-suse.patch + + glib2-gdbus-codegen-version.patch + + glib2-suppress-schema-deprecated-path-warning.patch + + glib2-bgo569829-gettext-gkeyfile.patch + ------------------------------------------------------------------- Thu Dec 17 21:20:22 UTC 2020 - Bjørn Lie diff --git a/glib2.spec b/glib2.spec index 2e02804..fe23be4 100644 --- a/glib2.spec +++ b/glib2.spec @@ -1,7 +1,7 @@ # # spec file for package glib2 # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %bcond_without systemtap %bcond_without gtk_doc Name: glib2 -Version: 2.66.4 +Version: 2.66.6 Release: 0 Summary: General-Purpose Utility Library License: LGPL-2.1-or-later